Private Networking


    ┌─────your VPC───────────────┐                  ┌─────tpuf VPC───────────────┐
    │                            │░                 │                            │░
    │ ┌─────────┐ ┌─────────┐    │░                 │    ┌─────────┐ ┌─────────┐ │░
    │ │ client  │ │ client  │ ◀──┼──────────────────┼──▶ │ storage │ │ compute │ │░
    │ └─────────┘ └─────────┘    │░  PrivateLink/   │    └─────────┘ └─────────┘ │░
    │                            │░      PSC        │                            │░
    └────────────────────────────┘░                 └────────────────────────────┘░
     ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░                  ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

┌──your VPC───────────────┐
│                         │░
│ ┌─────────┐ ┌─────────┐ │░
│ │ client  │ │ client  │◀┼───┐
│ └─────────┘ └─────────┘ │░  |
│                         │░  |
└─────────────────────────┘░  |
 ░░░░░░░░░░░░░░░░░░░░░░░░░░░  |
                              |
              PrivateLink/PSC |
                              |
┌──tpuf VPC───────────────┐   |
│                         │░  |
│ ┌─────────┐ ┌─────────┐ │░  |
│ │ storage │ │ compute │◀┼───┘
│ └─────────┘ └─────────┘ │░
│                         │░
└─────────────────────────┘░
 ░░░░░░░░░░░░░░░░░░░░░░░░░░░

turbopuffer supports private network connections between your VPC and our multi-tenant regions.

AWS regions use AWS PrivateLink
GCP regions use GCP Private Service Connect

Private network connection across cloud providers (e.g. AWS => GCP) are not supported. Contact us if you need this.

Enforcement

By default, even after establishing a private network connection to a region, API requests for your organization will still be permitted via the public endpoint for the region.

Upon request, turbopuffer can enforce that all API requests for an organization are made via your private endpoints.

Pricing

Private networking is only available on the enterprise plan.
There are no usage-based fees for private network endpoints.

Setup

Provide turbopuffer support with:
- Your AWS account ID or your GCP project ID
- The region you want to establish a private connections to
Wait for turbopuffer to authorize connections from your cloud account
Establish a private network connection to the service name provided by turbopuffer support
- AWS: Create an interface VPC endpoint
- GCP: Create a Private Service Connect endpoint
Set the base_url in your client to the private endpoint for your region (see table below)

Region	Private Endpoint
aws-ap-southeast-2	https://privatelink.ap-southeast-2.turbopuffer.com
aws-eu-central-1	https://privatelink.eu-central-1.turbopuffer.com
aws-eu-west-1	https://privatelink.eu-west-1.turbopuffer.com
aws-us-east-1	https://privatelink.us-east-1.turbopuffer.com
aws-us-east-2	https://privatelink.us-east-2.turbopuffer.com
aws-us-west-2	https://privatelink.us-west-2.turbopuffer.com
aws-ap-south-1	https://privatelink.ap-south-1.turbopuffer.com
gcp-us-central1	https://psc.us-central1.turbopuffer.com
gcp-us-west1	https://psc.us-west1.turbopuffer.com
gcp-us-east4	https://psc.us-east4.turbopuffer.com
gcp-northamerica-northeast2	https://psc.northamerica-northeast2.turbopuffer.com
gcp-europe-west3	https://psc.europe-west3.turbopuffer.com
gcp-asia-southeast1	https://psc.asia-southeast1.turbopuffer.com
gcp-gcp-asia-northeast3	https://psc.gcp-asia-northeast3.turbopuffer.com